How to implement Single Sign On using Spring and Active Directory


Problem description

I have a Spring based Web App which I would like to implement a Single Sign On solution on.

The basic flow is:

1) User logs in into Windows Workstation/Desktop PC (authenticating against organisation's Active Directory)

2) User opens browser and navigates to Spring Web App.

3) Spring Web App somehow confirms that the user is already authenticated against AD and seamlessly lets them in, i.e. no challenge for username and password. In fact, the Spring web app would NEVER show a login form.

Obviously it's step 3 I am having trouble with.

I have looked at Spring Security, Kerberos, SPNEGO but I think I've just confused myself.

If it makes a difference I am using Java 6, running on Jetty with Spring 3. The Jetty instance will be running on a *Nix machine.

Recommended answer

I have implemented the same thing for my client. We are using spring-saml in our Spring-based web application (acts as Service Provider) and ADFS as Identity Provider (IDP).

You can take help from this link for the configuration part. I will help you out if you face any problem related to implementation or setup issue.

Basically your web-app will act as SP and ADFS will be treated as IDP. You need to exchange both metadata files, which are nothing but certificates for communication.
